User Error: The Root Cause of it All

To some degree, nearly every renowned cyberattack worthy of a newscast or print article can be (or has been) blamed on a mistake made by a user within the victimized organization. Someone carelessly opened an attachment or followed a suspicious link, in either case having failed to recognize a phishing email.

Throughout the shift to working from home, and ahead of every retail-associated holiday, news reports and articles advise users on how to protect themselves from malware and online threats. Rarely does that advice recommend anything other than some form of user awareness training and cybersecurity literacy.

From the inadvertent attachment of sensitive files to an email, to the sharing of credentials with an unsolicited caller posing as a friendly (and entirely fake) tech support specialist, individual users everywhere remain easily duped and victimized, or entirely oblivious to the potential security consequences of nearly every action taken on their computers and digital devices.

User Education: The Fix for Everything

For every real and potential cyberthreat or user mistake on any device, there’s someone who believes in their heart of hearts that training and common sense will prevent it.

That new ransomware variant? Well, if your users won't open messages from unknown senders, it won't infect you. Stolen credit card or identity theft? Hmm, if they hadn't clicked on that "Winning Sweepstakes" banner ad while reading the news online, it would never have happened. If only that user had paid more attention to the IT support staff or learned a bit more about computer security before using their device.

Companies relentlessly champion this individual-responsibility mindset. They invest heavily in regular security awareness training from internal and external experts, and they establish teams to spot-check employees with randomized spoofed emails carrying malicious attachments, or with social engineering calls intended to coax users into sharing account information or login credentials.

In every case, the thinking remains that by making users aware of the security threats out there, they can safely avoid them by being disciplined and vigilant: following their training precisely and extrapolating from it to be suspicious of anything that looks, feels or smells like one of the specific threats they have been warned about.

Obviously, that is not enough.

Despite everything that has been tried and tested since the era of interconnected computing began, cyberattacks have not only persisted but have grown in scale, complexity, sophistication, notoriety, economic cost and ubiquity. From isolated teenaged tinkerers to vulnerability researchers to hackers backed by organized crime to state-sponsored cybercriminals, those who have chosen to dedicate their time, careers or lives to hacking could make that choice because cyberattacks keep succeeding. Whatever the exact percentages, the attacks work well and succeed often enough to guarantee more of them.

But as the vulnerability hunting and exploit creation industry matures, the notion of training users to defend themselves from these attacks and attackers needs to be reconsidered.

With connected devices in the hands of most people in the world, how much training would they require individually or collectively to withstand the repeated attempts of motivated hackers? How could any given employee in any given job role in a company of any size be expected to recognize and thwart every or any attack vector open to an attacker? For that matter, could an IT generalist or security specialist at a company stand toe-to-toe with and defeat opponents who are well-funded, often possessing world-class talents and able to bring to bear multifaceted attacks that include stepwise social engineering tactics?

Negative answers to the above should be enough to convince most people that there is no way to train users to a high enough standard to prevent all intrusions and data breaches, even if training can stop a few of the least sophisticated attacks, the ones that mainstream security tools such as virus scanners should have identified and blocked anyway.

The goal of most cybersecurity awareness training aims much lower, of course: teaching users to check the full sender address for spoofing, to distrust attachments of all types and sizes, to update operating systems and applications regularly, and to challenge inbound requests for credentials, whether online or over the phone. Even these basic strategies, though, can be undermined and exploited, because everything taught to the average user can be picked apart and abused by attackers. With an effectively unlimited number of ways to attack systems and networks, versus the limited set of appliances and applications used to build, sustain and secure them, hackers hold the advantage in an ongoing, asymmetric battle.
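To make the asymmetry concrete: "check the full sender address" is advice that an attacker defeats with a display name that carries a fake address, with a punycode domain whose Cyrillic letters render like Latin ones, with a digit swapped for a letter, or with the trusted domain buried as a subdomain of one the attacker controls. The checks below are an added example written for this page, not code from the author or from SecureAge; they assume `example.com` is the organisation's own domain, use a deliberately small subset of the Unicode confusables table, and run over constructed `From:` header values rather than real mail. The point is that a machine applies these checks identically on the ten-thousandth message, which is exactly what a tired user does not do.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: example.com stands in for the organisation's own domain.
TRUSTED_DOMAINS = {"example.com"}

# A deliberately small subset of Unicode confusables (Cyrillic and Greek
# letters that render like Latin ones, plus digit/letter pairs). A real
# deployment would use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
    "0": "o", "1": "l", "|": "l",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def decode_idna(domain: str) -> str:
    """Return the Unicode form of a domain whose labels may be punycode (xn--...)."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep as-is, it is still flagged below
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Collapse lookalike characters so visually similar domains compare equal."""
    text = unicodedata.normalize("NFKC", decode_idna(domain)).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, rep in MULTI_CONFUSABLES.items():
        text = text.replace(seq, rep)
    return text


def analyze_from(header: str) -> list:
    """Return the reasons a From: header value should be distrusted ([] if none)."""
    findings = []
    display, addr = parseaddr(header)
    if "@" not in addr:
        return ["address could not be parsed"]
    domain = addr.rsplit("@", 1)[1].lower()
    trusted_skeletons = {skeleton(t) for t in TRUSTED_DOMAINS}

    # 1. An address hidden in the display name. Many clients show only the
    #    display name, so "check the full address" never actually happens.
    if "@" in display and display.lower() != addr.lower():
        findings.append(f"display name carries a different address: {display!r}")

    # 2. Internationalised domain: what is rendered is not what DNS resolves.
    rendered = decode_idna(domain)
    if rendered != domain or not rendered.isascii():
        findings.append(f"IDN domain {domain!r} renders as {rendered!r}")

    # 3. Homoglyph or digit-substitution lookalike of a trusted domain.
    if domain not in TRUSTED_DOMAINS and skeleton(domain) in trusted_skeletons:
        findings.append(f"{domain!r} is a lookalike of a trusted domain")

    # 4. Trusted domain embedded in a longer, attacker-controlled name.
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain and domain != trusted and not domain.endswith("." + trusted):
            findings.append(f"{domain!r} embeds trusted domain {trusted!r}")
    return findings


# Constructed sample headers (not real mail). The third is built at runtime so
# the punycode label is exactly what a mail server would see on the wire.
SAMPLES = [
    "Bob <bob@example.com>",
    '"ceo@example.com" <attacker@evil.example>',
    "IT Support <support@" + "ex\u0430mple.com".encode("idna").decode("ascii") + ">",
    "Payroll <payroll@examp1e.com>",
    "Helpdesk <help@example.com.evil.example>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = analyze_from(sample) or ["no findings"]
        print(f"{sample}\n  -> " + "\n  -> ".join(verdict))
```

Only the first sample comes back clean; each of the other four trips a different check. None of these is a substitute for SPF, DKIM and DMARC alignment at the gateway, which verify the sending domain cryptographically rather than by appearance, but they show how little of the "look at the address" advice survives contact with an attacker who controls what the address looks like.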

What Will Giving Up Do?

For one thing, giving up will relieve users of the obligation to serve on the front line of a defensive perimeter and free them to do the work for which they were hired. For another, it will redirect the resources previously spent on company-wide security training to evaluating security vendors and tools that can tackle security challenges far better, without human mistakes, fatigue or disinterest. Finally, and most importantly, it will shift the responsibility for cybersecurity back to security personnel and security solutions, and away from users who are merely forced to use the equipment and applications to perform roles entirely unrelated to IT management and security. Rely on automated tools and configurations, demand better performance from them, and blame the culprits instead of the victims.

Jerry Ray

Jerry Ray is Chief Operations Officer at SecureAge Technology. He has an extensive technology and international business background, with more than 15 years of experience in process engineering, consulting and global finance in the U.S. and Asia Pacific regions.